Description
The NetBlame Network Plug-in for WPA integrates TcpIp, Winsock, WebIO/WinHTTP, WinINet, and DNSClient to create a unified view of network activity within Windows and its applications.
At the time the NetBlame code was initially created (2022-3), the ETW events emitted by the Chromium engine had many issues and were inadequate for correlation with other network-related ETW events (primarily Winsock).
More recently, the Chromium ETW events have become substantially more robust and useful. These records generally originate in the Perfetto layer, are translated to ETW, and often include JSON data.
For example, the event HOST_RESOLVER_DNS_TASK_EXTRACTION_RESULTS is one of several which expose DNS-related activity, and was added to the Chromium codebase in January 2024.
The event URL_REQUEST_START_JOB contains the URL and method (GET, POST, etc.), and was added to the codebase just 3 months ago (September 2025).
The Chromium network engine works (like most network activity in Windows) on top of Winsock, and therefore the NetBlame plug-in reveals Winsock activity within the browser.
The goal for the master NetBlame URL table will be to correlate underlying Winsock and DNS activity with the URLs accessed by the browser (Edge, Chrome, etc.).
NetBlame will also produce a Chromium-specific table to expose the internal data gleaned and correlated from the ETW events.
Since Chromium's ETW events are potentially prodigious, the WPR profile file EdgeChrome.15002.wprp will filter them to only those of greatest utility.